Appfluence Responsible Disclosure Policy

Important: Program on pause. Appfluence is currently undergoing a significant architectural upgrade to enhance the security and performance of our system. In order to focus on this critical endeavor, we have made the decision to put our Bug Bounty Program on hold indefinitely until the upgrade is finalized. During this period, we will not be accepting new submissions under the program. We appreciate the valuable contributions made by the security research community and look forward to resuming the program once our system enhancements are complete. Please keep an eye on this page for updates, and thank you for your understanding and cooperation.

At Appfluence, we value the security of our users, and we recognize the role that security researchers play in ensuring that Priority Matrix maintains the highest standards of security. We are committed to collaborating with this community to verify, reproduce, and respond to any legitimate reported vulnerabilities.

To encourage responsible disclosure, we've established a Bug Bounty Program that rewards security researchers for identifying and reporting vulnerabilities in our software. This policy outlines the guidelines of this program.


This program strictly applies to our SaaS tool Priority Matrix (domains and Any vulnerabilities identified in our marketing website, staging or development environments, corporate infrastructure, or any other non-essential systems, fall outside this policy and will not be eligible for a reward.


We offer a scaled reward system for vulnerabilities reported:

  • Medium severity: $50 USD
  • High severity: $100 USD
  • Critical severity: $200 USD

The severity level will be determined by our team upon reviewing the report, taking into account the risk and potential impact associated with the vulnerability. The severity score will also be weighed by ease of exploitation. For example, a high-severity vulnerability could be downgraded to medium or low if exploiting it requires the potential victim to perform multiple steps. We will make our best effort to classify the severity of the reported vulnerability. Please note that our decision cannot be appealed.

The following is a guideline and some examples of our severity classification process. Note that the examples are given as general guidance and are not a guarantee of classification or reward:

  • Critical: Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices. Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user into performing any special functions. Example: Remote Code Execution, SQL Injection, Server-Side Request Forgery.
  • High: The vulnerability is difficult to exploit. Exploitation could result in elevated privileges. Exploitation could result in a significant data loss or downtime. Example: Cross Site Scripting (XSS), Server-Side Template Injection, XML External Entity (XXE) attacks.
  • Medium: Exploitation may require the attacker to manipulate individual victims via social engineering tactics, to set up a denial of service that is difficult to arrange, or to reside on the same local network as the victim. Exploitation provides only very limited access, or requires user privileges to succeed. Example: Cross-Site Request Forgery (CSRF), Clickjacking, Unvalidated Redirects and Forwards.
  • Low: Low-severity vulnerabilities may not directly lead to data loss or server compromise, but could potentially provide information or access that could be used in conjunction with other vulnerabilities to escalate to a higher severity level. These could include vulnerabilities such as exposure of non-sensitive data, version leaks, and non-exploitable Cross-Site Scripting (XSS) vulnerabilities, for example, those that only affect outdated browsers.

Please note that we do not offer rewards for reports of low severity, or for reports that only point out outdated library versions. We have established processes to mitigate these publicly known issues. Additionally, in order to qualify, a report needs to describe an exploitable vulnerability that is not already mitigated by additional security measures, such as 2FA.

The Bug Bounty Program does not imply a guarantee of payment. Even if all program conditions are met, any reward decision remains at the discretion of Appfluence.

In addition to monetary rewards, each valid submission may receive a free, one-year license to Priority Matrix Business, our highest-value offering.


To report a vulnerability, please:

  1. Email your findings to Please include as much information as possible about the vulnerability, including the steps to reproduce it.
  2. Allow us a reasonable amount of time to address the issue before you disclose it elsewhere.
  3. Ensure that your testing does not violate any laws, or disrupt or compromise any data that is not your own.


To qualify for a reward, you must:

  1. Be the first person to submit a valid, complete report about a specific vulnerability. Note that a vulnerability might already have been reported and captured internally, even if it is not yet resolved. Since we process submissions in the order we receive them, a submission may be considered invalid because an earlier (still unprocessed) submission already addressed the specific issue in your report.
  2. Report an issue that is significantly different from others already in the system. For example, an issue with /api/XYZ will not be considered valid if an equivalent issue was already reported for /api/ABC.
  3. Provide sufficient information to enable us to reproduce and understand the vulnerability.
  4. Not disclose the vulnerability to others outside Appfluence, even beyond the verification process.
  5. Not exploit the vulnerability beyond what is necessary to produce a proof-of-concept.
  6. Not violate any laws during your testing.
  7. Not have any familial, business, or personal friendship relationships with Appfluence staff.

Explicit exceptions and considerations

The following exceptions to the rules above apply:

  1. Vulnerabilities that are reasonably similar to one another will be considered as a single submission.
  2. Vulnerabilities that arise from users storing malicious files will not be considered valid for the purpose of this program.
  3. CSV formula injection vulnerabilities are explicitly disallowed and will not be considered valid for the purpose of this program.
  4. If during the process of vulnerability discovery, researchers were to cause service disruption or in any other way harm Appfluence customers, no reward will be granted regardless of the severity level.
  5. Reports that are solely based on automated tools without verification or demonstration of the exploitability of the issue will not be considered valid.
  6. Findings related to software or systems not under Appfluence’s control, such as third-party components or services, will not be eligible for rewards.
  7. Issues that only affect users on outdated or unsupported platforms or browsers will not be considered for a reward.
  8. Vulnerabilities that rely solely on social engineering tactics without involving any technical flaws in the system will be excluded.
  9. Issues related to best practices, code quality, or those that require an unrealistic or highly contrived scenario to exploit will not be considered valid.
  10. Any vulnerability requiring local access to a user’s network, or Appfluence’s premises will not be eligible for a reward.


You must comply with all applicable laws in connection with your participation in this program. You are responsible for any tax implications or additional restrictions related to rewards in your country of residence. The preferred payment method is by credit card, so it is recommended that you provide a suitable payment link, for example via Stripe, Square or similar.

Appfluence reserves the right to modify, adjust, or terminate this program at any time, without explanation or warning.

We thank you for your valuable contribution towards keeping Priority Matrix secure and ensuring the safety of our users!